
Cado Security Labs has uncovered a new campaign exploiting misconfigured Jupyter Notebooks to deliver cryptominers to both Windows and Linux systems. This campaign showcases how attackers are leveraging vulnerable cloud services for illicit cryptocurrency mining.
Jupyter Notebooks, interactive environments commonly used by data scientists, contain a Python IDE. Cado Labs’ honeypots detected the campaign attempting to exploit these notebooks.
The attack begins with an attempt to retrieve a bash script and a Microsoft Installer (MSI) file. The MSI file’s CustomAction points to an executable named “Binary.freedllBinary”.
The Windows executable “Binary.freedllbinary” loads a secondary payload, “java.exe,” using a Component Object Model (COM) object stored in c:\ProgramData. The command attempts to execute “java.exe” and, if that fails, retrieves “a.msi” from GitHub, which is the same as the original MSI. The binary then deletes itself.
“Java.exe,” a 64-bit binary disguised as Java Platform SE 8, retrieves “x2.dat” from either GitHub, Launchpad, or Gitee and stores it in c:\ProgramData. “X.dat” is an encrypted blob of data, decrypted using ChaCha20 with the nonce “aQFabieiNxCjk6ygb1X61HpjGfSKq4zH” and the key “AZIzJi2WxU0G,” and then decompressed with zlib.
The decrypted blob contains another binary – a cryptominer that targets various cryptocurrencies, including Monero, Sumokoin, ArQma, Graft, Ravencoin, Wownero, Zephyr, Townforge, and YadaCoin.
In the original Jupyter commands, if the MSI file retrieval fails, the attack attempts to retrieve and execute “0217.js,” a bash backdoor. This script retrieves two ELF binaries, “0218.elf” and “0218.full,” from the attacker’s server.
The script retrieves “0218.elf,” renames it, stores it in /etc/, makes it executable, and sets a cronjob to run every ten minutes. Similarly, “0218.full” is retrieved, renamed, stored in /tmp/ or /var/tmp/, made executable, and a cronjob is set to run every 30 or 40 minutes.
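The cron persistence just described (a renamed binary stored in /etc/, /tmp/ or /var/tmp/ and scheduled every 10, 30 or 40 minutes) is a pattern a defender can check for directly. The following is an added example, not code from the Cado report, that scans crontab text for entries matching it; the crontab lines and the file names sshdd and kworkerds are constructed for the example.

```python
import re

# Constructed sample crontab (not from the report); two entries mirror the
# pattern described above: a bare executable dropped into /etc or /var/tmp
# and scheduled every 10 or 40 minutes.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /etc/sshdd >/dev/null 2>&1
*/40 * * * * /var/tmp/kworkerds >/dev/null 2>&1
*/5 * * * * /usr/local/bin/backup.sh
"""

TMP_DIRS = ("/tmp/", "/var/tmp/")
MAX_INTERVAL_MINUTES = 40  # the report's cron intervals were 10, 30 and 40
CRON_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)$")

def interval_minutes(minute_field):
    """Return N for a '*/N' minute field, else None."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None

def executable_in_dropper_dir(exe):
    """True for binaries under /tmp or /var/tmp, or placed directly in /etc.
    /etc is only flagged for a bare /etc/<name>; legitimate jobs there live
    in subdirectories such as /etc/cron.daily/."""
    if exe.startswith(TMP_DIRS):
        return True
    return exe.startswith("/etc/") and "/" not in exe[len("/etc/"):]

def flag_cron_lines(text):
    """Return (line, reason) pairs for entries matching the persistence pattern."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CRON_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue  # blank, comment, or not a five-field entry (e.g. MAILTO=)
        minute, command = m.group(1), m.group(2)
        exe = command.split()[0]
        if not executable_in_dropper_dir(exe):
            continue
        reason = f"executable {exe} in dropper directory"
        every = interval_minutes(minute)
        if every is not None and every <= MAX_INTERVAL_MINUTES:
            reason += f"; runs every {every} min"
        findings.append((line, reason))
    return findings
```

Run it over the output of `crontab -l` for each user and over /etc/crontab and /etc/cron.d/* to cover the locations the dropper may write to.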
“0218.elf” is a 64-bit UPX-packed ELF binary, similar in functionality to the Windows version’s “java.exe”. It retrieves encrypted data “lx.dat” from various sources. The data is decrypted with ChaCha20 and decompressed with zlib. The decrypted data from “lx.dat” is another ELF binary, the Linux variant of the Windows cryptominer.
The cryptominer mines for the same cryptocurrency as the Windows version. The binary “0218.full” is the same as the dropped cryptominer, skipping the loader and retrieval of encrypted data. The report notes that it is unknown why the threat actor deploys two versions of the same cryptominer.
Cado Labs also found a parallel campaign targeting servers running PHP, using a PHP script “1.php” hosted on the same server. This script retrieves a binary based on whether the server is running Windows or Linux. The binaries “php0218.exe” and “php0218.elf” are the same as Binary.freedllbinary and “0218.elf,” respectively.
The report notes that while the exploitation of Jupyter is new, there have been previous campaigns with similar TTPs. In January 2024, GreyNoise reported on Ivanti Connect Secure being exploited to deliver a cryptominer, featuring the same backdoor with payloads hosted on GitHub. Additionally, AhnLab reported a similar campaign targeting unpatched Korean web servers in June 2024.
The report concludes that exposed cloud services remain a prime target for cryptominers and other malicious actors. Attackers actively scan for misconfigured or publicly accessible instances to run unauthorized cryptocurrency mining.
To mitigate these risks, organizations should enforce strong authentication, disable public access, and regularly monitor their cloud environments for unusual activity. Implementing network restrictions, auto-shutdown policies for idle instances, and cloud provider security tools can also help reduce exposure.